Hyperledger fabric:transport: authentication handshake failed: x509: certificate on channel create

问题

I am trying to create a channel in HLF using the following command

peer channel create -o orderer1.base:7050 -c basechannel -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/base.order/tlsca/tlsca.base.order-cert.pem

But it's failing due to this error

Failed to send StepRequest to 2, because: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for orderer2.base.order, orderer2, not orderer2.base" channel=basechannel node=1

Failed to send StepRequest to 3, because: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for orderer3.base.order, orderer3, not orderer3.base" channel=basechannel node=1

Here is the raft config in configtx.yaml

Raft:
        <<: *ChannelDefaults
        Capabilities:
            <<: *ChannelCapabilities
        Orderer:
            <<: *OrdererDefaults
            OrdererType: etcdraft
            EtcdRaft:
                Consenters:
                - Host: orderer1.base
                  Port: 7050
                  ClientTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer1.base.order/tls/server.crt
                  ServerTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer1.base.order/tls/server.crt
                - Host: orderer2.base
                  Port: 8050
                  ClientTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer2.base.order/tls/server.crt
                  ServerTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer2.base.order/tls/server.crt
                - Host: orderer3.base
                  Port: 9050
                  ClientTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer3.base.order/tls/server.crt
                  ServerTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer3.base.order/tls/server.crt
            Addresses:
                - orderer1.base:7050
                - orderer2.base:8050
                - orderer3.base:9050

Container configuration in docker-compose.yaml

orderer1.base:
    extends:
      file: base.yaml
      service: orderer-base
    container_name: orderer1.base
    environment:
      - ORDERER_GENERAL_LISTENPORT=7050
    networks:
    - byfn
    volumes:
        - ./artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
        - ./crypto-config/ordererOrganizations/base.order/orderers/orderer1.base.order/msp:/var/hyperledger/orderer/msp
        - ./crypto-config/ordererOrganizations/base.order/orderers/orderer1.base.order/tls:/var/hyperledger/orderer/tls
        - orderer1.base.order:/var/hyperledger/production/orderer
    ports:
    - 7050:7050
  orderer2.base:
    extends:
      file: base.yaml
      service: orderer-base
    container_name: orderer2.base
    environment:
      - ORDERER_GENERAL_LISTENPORT=8050
    networks:
    - byfn
    volumes:
        - ./artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
        - ./crypto-config/ordererOrganizations/base.order/orderers/orderer2.base.order/msp:/var/hyperledger/orderer/msp
        - ./crypto-config/ordererOrganizations/base.order/orderers/orderer2.base.order/tls:/var/hyperledger/orderer/tls
        - orderer2.base.order:/var/hyperledger/production/orderer
    ports:
    - 8050:8050  

  orderer3.base:
    extends:
      file: base.yaml
      service: orderer-base
    container_name: orderer3.base
    environment:
      - ORDERER_GENERAL_LISTENPORT=9050
    networks:
    - byfn
    volumes:
        - ./artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
        - ./crypto-config/ordererOrganizations/base.order/orderers/orderer3.base.order/msp:/var/hyperledger/orderer/msp
        - ./crypto-config/ordererOrganizations/base.order/orderers/orderer3.base.order/tls:/var/hyperledger/orderer/tls
        - orderer3.base.order:/var/hyperledger/production/orderer
    ports:
    - 9050:9050  

base.yaml

orderer-base:
    image: hyperledger/fabric-orderer:$IMAGE_TAG
    environment:
      - FABRIC_LOGGING_SPEC=DEBUG
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - CORE_LOGGING_LEVEL=debug
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      # enabled TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer

回答1:

You are mapping ports uncorrectly. It must be:

orderer1 7050:7050

orderer2 8050:7050

orderer3 9050:7050

And remove the environment LISTEN_PORT from every orderer so that the default is always 7050. This means that, in case of orderer 2, you are mapping container inner port 7050 to the external 8050.

Also modify in your configtx.yaml the same thing, so you will have 3 ports 7050. Just avoid modifying internal ports for containers, you are free to modify external ones.

来源：https://stackoverflow.com/questions/59860326/hyperledger-fabrictransport-authentication-handshake-failed-x509-certificate